
VOIPPACK 1.4 with added support for Cisco and Trixbox

Last week we distributed a new version of VOIPPACK with the following new tools:

Cisco environment:

  • vp_cucmjailbreak : Given an SSH username and password for CUCM’s restricted shell, this script creates a new root user and installs MOSDEF
  • vp_ciscophonescanner : Searches for Cisco phones on the target network by using HTTP and DNS probes
  • vp_cucmtftplist : Makes use of CUCM’s “TFTP” server to list the phones’ MAC addresses / phone names

Trixbox / FreePBX environment:

  • vp_fopextensionenum : Enumerates extensions on FreePBX through the Flash Operator Panel
  • vp_freepbx_exec1 : Installs MOSDEF on vulnerable Trixbox or FreePBX servers given a username and password for the admin interface

Generic:

  • vp_mgcpscanner : A generic MGCP network scanner

Additionally, we improved vp_sipenumerate so that it can scan Asterisk servers regardless of the alwaysauthreject option in Asterisk, and it works better with vp_bypassalwaysreject too!

What does cucmjailbreak do?

This is a new tool that automates the procedure outlined on Recurity Labs’ blog and allows CANVAS to install MOSDEF. This effectively allows you to use stolen Cisco CallManager credentials to fully compromise the server. The following video demonstrates the tool in action:

What does fopextensionenum do?

When trying to gain access to phone extensions on a target PBX server, attackers first need to find out which extensions exist on the server. Typically one would use features in SIP to do this; however, an easier method is to abuse the Flash Operator Panel (FOP) to enumerate extensions. The following video demonstrates the tool in action:

What does ciscophonescanner do?

This tool scans a target IP address range and extracts the names of each phone found. It currently does this by making use of 2 methods: reverse DNS names and connecting to the HTTP interface of the Cisco phone. Video demo:

What about the other tools?

  • CUCM TFTP list tool (vp_cucmtftplist) makes use of the Cisco CallManager’s special TFTP server, which allows listing of the files on the TFTP server
  • FreePBX exec1 tool (vp_freepbx_exec1) allows installation of MOSDEF on a vulnerable target Trixbox or FreePBX server by abusing an unpatched PHP script in the administrative section. This leads to root access to the target server
  • We also added a generic MGCP scanner (vp_mgcpscanner), which helps find devices that speak the protocol

That’s it for now. For more information about VOIPPACK take a look at the products page.

*** This is a Security Bloggers Network syndicated blog from EnableSecurity authored by Sandro. Read the original post at: https://enablesecurity.wordpress.com/2011/01/25/voippack-1-4-with-added-support-for-cisco-and-trixbox/